Critical Internet Explorer and DirectX fixes released

Microsoft pushes security updates in Patch Tuesday

Microsoft has released security patches for a number of its products, fixing critical flaws in the Internet Explorer browser, DirectX and Bluetooth wireless software for Windows.

The company has also released less-critical updates for its server products, fixing bugs in Active Directory, the Windows Internet Name Service (WINS) and the Pragmatic General Multicast (PGM) protocol, used by Windows to stream media to many recipients.

A seventh update, rated moderate, adds 'kill bits' that disable buggy speech-recognition software and a program used to manage Logitech devices.

In total, 10 bugs were squashed in these seven updates, released on Tuesday.

Desktop users will want to be sure to install the critical Internet Explorer and DirectX updates as soon as possible, said Amol Sarwate, vulnerability lab manager with security vendor Qualys. Some of the flaws addressed in these patches can be exploited in web-based attacks where a criminal tricks the victim into visiting a malicious web page and then takes advantage of the bug to install malicious software on the Windows PC.

The Bluetooth vulnerability is also rated critical by Microsoft. But to exploit this flaw, attackers would have to be close enough to the Windows machine to send it maliciously encoded Bluetooth packets, Sarwate said.

One of the two bugs that was patched in the MS08-031 Internet Explorer update has been publicly known since January. Attackers could take advantage of this flaw to get unauthorised access to data stored by the browser, Microsoft said.

Another publicly disclosed bug lies in the Microsoft Speech API, which lets Windows users operate their computers using voice commands. Last year, researchers discovered that they could do things like delete files on computers that used this technology, enabled by remotely playing voice commands on a victim's computer.

The Speech API flaw was one of two programs that Microsoft has disabled with its MS08-032 'kill bit' update. The second flaw lies in an ActiveX control that ships with the Logitech Desktop Manager (LDM) software.

The LDM, which manages Logitech devices like web cameras, contains buggy software called the BackWeb Web Package ActiveX object. So if a victim running the LDM software visited a malicious Web site, attackers could theoretically take advantage of this flaw and run unauthorized software on his computer.

Third-party applications such as the Logitech Desktop Manager have been the source of many security problems for Windows users. Lately, researchers have discovered a rash of major flaws in products such as Apple's QuickTime, Adobe's Flash and other media players. Often, these bugs can be exploited by attackers in Web-based attacks in order to run unauthorised software on a victim's PC.